Category Archives: Macintosh Viruses and Trojans


For years and years, Apple maintained that an antivirus program was not required on a Macintosh, and for many years, if you were careful, that was *largely* true.

The number of Macintosh threats was minimal, and cybercriminals simply didn’t go after Macintosh computers because their numbers were relatively low.

As Apple’s market share increased, cybercriminals turned their attention to Macs: because they cost more, so the customers who buy them are typically well off to affluent, and because they were often plain easy to infect, since their owners lived in a bubble where clicking on bad links and programs had never had any ill effects.

Those days are GONE – pure history.

New Macintosh threats appear on a very regular basis, and they range from fairly benign popups to full-blown banker trojans.

The Flashback trojan has been all over the news lately, but it is not the only Mac malware threat out there at the moment. A few weeks ago, we published a technical analysis of OSX/Lamadai.A, the Mac OS X payload of a multi-platform attack exploiting the Java vulnerability CVE-2011-3544 to infect its victims. OSX/Lamadai.A has built-in features typical of a backdoor: namely download and execution of an arbitrary file, uploading of local files to the operator’s Command and Control (C&C) server, and spawning of a command-line shell.

After the technical analysis was done, we began the monitoring phase. This phase is very important because it allows for tracking of how the malware is used by its operator. We can catch new variants of the threat early on, or even a totally different malware family (as often seen in pay-per-install schemes), or see the operator launch Denial-of-Service attacks (or any other kind of malicious activity) from the infected systems.

The monitoring phase allowed us to witness a short, live dialog between our infected machine and the malware operator; we published this dialog in our initial analysis of OSX/Lamadai.A. This experience gave us some new ideas that we could put in place in order to gather more knowledge about this threat and the person or people behind it.

What we did is this: we planted some fake files in the home directory of our test “infected user” and waited for the operator to come back. About one week later, we got our first connection. Here are the highlights of the dialog that took place over a period of about 10 days. It started with a little reconnaissance in the ~/Documents directory. The Unix command ls is used to list directory content:

Then we see the theft of some Tibetan army status documents and a little porn for added value.

Now more reconnaissance and file theft, this time in the ~/Downloads directory.

It is quite interesting to see that the operator did not steal all the files we had put out for him. He left these three untouched:

2012_report.doc
application.zip
im5744.jpg

A few days went by during which the operator was only connecting to the system to issue some basic commands, most likely with a view to determining whether this was a newly infected system or not. The Unix command id returns the current user’s identity and the sw_vers command prints the OS version information.

We decided it was time to refresh the environment to simulate infection of a new user and to install interesting new files to the user’s home directory.

Shortly after the new environment was up and running, we got an incoming connection. Almost instantly, the operator issued a command to download and execute a file (technical details of the new file below)!

Immediately after, the operator ran a few netstat commands, most probably looking to see if the new payload was listening on the network properly. The Unix command netstat displays the network status of the system, such as network connections and routing table.

Not seeing what he wanted to see, our operator tried to re-execute the dropped executable! Let’s see how that turned out:

Yes, you do have to specify the path to the executable when /tmp is not in $PATH. In despair, he attempted to take some screenshots of the entire desktop window, using the OS X ‘screencapture’ command. Oddly enough, the file was not saved in his current working directory as it should have been. We can’t explain why that happened.

Then, a few connection attempts later, the operator logged back on and totally lost it. He issued two Unix ‘rm’ commands, used to remove directory entries: one to remove the user’s home directory and one to remove the system’s root directory.
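The command sequence described above (directory listings, id, sw_vers, netstat, re-running a dropped binary by bare name and then by path, screencapture, and finally rm -rf against the home and root directories) is a useful template for triaging what an operator typed over an interactive backdoor. The following is an added example, not ESET’s code: the SESSION transcript is constructed to mirror the narrative rather than being the captured dialog, and the category word lists, the treatment of anything launched from a scratch directory as “exec-from-temp”, and the rm target list are assumptions chosen for illustration, not a vetted ruleset.

```python
"""Triage a captured interactive backdoor session by command category.

Added example, not code from the ESET analysis. SESSION is a constructed
transcript that mirrors the sequence described in the article; the category
word lists and the rm wipe-target list are assumptions for illustration.
"""
import re
import shlex
from collections import Counter
from typing import Dict, List

# Constructed transcript: what an operator might type over a Lamadai-style
# shell, following the article's narrative (not the actual captured dialog).
SESSION = """\
ls ~/Documents
id
sw_vers
netstat -an | grep 127.0.0.1
./update
/tmp/update
screencapture -x shot.png
rm -rf ~
rm -rf /
"""

# Assumed category lists (illustrative, not exhaustive).
RECON = {"ls", "id", "whoami", "uname", "sw_vers", "netstat", "ifconfig", "ps", "pwd", "find"}
DOWNLOAD = {"curl", "wget"}
COLLECTION = {"screencapture", "tar", "zip", "scp"}
# Binaries launched by path from a scratch directory: typical of a just-dropped payload.
TEMP_EXEC_PREFIXES = ("./", "/tmp/", "/private/tmp/", "/var/tmp/")
# rm targets that mean the operator is burning the host rather than tidying up.
WIPE_TARGETS = {"/", "/*", "~", "~/", "$HOME", "$HOME/"}

# Split pipelines and command lists so each program name is inspected.
SEGMENT_SPLIT = re.compile(r"\|\||&&|[|;]")


def _is_recursive_rm(argv: List[str]) -> bool:
    """True if an rm argv carries -r/-R in any short-option cluster or --recursive."""
    for arg in argv[1:]:
        if arg in ("-r", "-R", "--recursive"):
            return True
        if arg.startswith("-") and not arg.startswith("--") and set(arg[1:]) & set("rR"):
            return True
    return False


def classify(cmdline: str) -> List[str]:
    """Return ordered, de-duplicated category tags for one shell line."""
    tags: List[str] = []
    for segment in SEGMENT_SPLIT.split(cmdline):
        try:
            argv = shlex.split(segment)
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            argv = segment.split()
        if not argv:
            continue
        prog = argv[0]
        base = prog.rsplit("/", 1)[-1]
        if base in RECON:
            tags.append("recon")
        if base in DOWNLOAD:
            tags.append("download")
        if base in COLLECTION:
            tags.append("collection")
        if prog.startswith(TEMP_EXEC_PREFIXES):
            tags.append("exec-from-temp")
        if base == "rm" and _is_recursive_rm(argv):
            targets = [a for a in argv[1:] if not a.startswith("-")]
            if any(t in WIPE_TARGETS for t in targets):
                tags.append("destructive")
    return list(dict.fromkeys(tags))


def triage(session: str) -> Dict[str, int]:
    """Count category hits across a whole session transcript."""
    counts: Counter = Counter()
    for line in session.splitlines():
        counts.update(classify(line))
    return dict(counts)


if __name__ == "__main__":
    for line in SESSION.splitlines():
        print(f"{line:35} -> {', '.join(classify(line)) or '-'}")
    print(triage(SESSION))
```

The “recon then exec-from-temp then destructive” progression is what a responder would want surfaced first; a plain `rm -rf /tmp/update` is deliberately not tagged destructive, because removing the dropped file is cleanup, not a wipe.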

That concludes this dramatic episode of Monsieur Frustrated Operator. Now to some technical stuff.

One of the first things we did was to recover and analyze the Mach-O executable dropped onto our test machine. We were curious to see what that was: a new variant of OSX/Lamadai, or even a specialized new piece of software? Instead, we found it was the same variant of OSX/Lamadai with a hardcoded C&C server set to 127.0.0.1. This explains why the operator grepped his netstat output for “127.0.0.1”. However, the rationale behind this action is up for debate inside ESET’s Security Intelligence Laboratory. Some argue that the operator realized he was connected to a monitoring system instead of a real, infected one and wanted to redirect the traffic away from the real C&C. Others contend that it would have been easier for him to simply deactivate or remove the malware from the system.

Also, when we first analyzed OSX/Lamadai.A, we said that the malware did not have persistence capabilities on an OS X 10.7.2 system, as the path /Library/Audio/Plug-Ins/AudioServer was not user-writable. We looked a little deeper into this, as other researchers reported that the threat was indeed persistent on their machines. We realized that this very same path is user-writable in previous OS X versions (10.5/Leopard and 10.6/Snow Leopard). This is the cause of some potential confusion and a timely reminder of the benefits of upgrading to the latest version of OS X.
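The check behind that paragraph is easy to reproduce on a suspect machine: test whether the directory the malware writes its persistence component to is actually writable by the logged-in user, and report its mode and owner. The following is an added example, not ESET’s code. The only path taken from the article is /Library/Audio/Plug-Ins/AudioServer; the other two entries in CANDIDATE_DIRS are assumed sibling directories added for illustration and are not locations the article associates with Lamadai. Per the article, the first entry should report writable on 10.5/10.6 and not writable on 10.7.2.

```python
"""Report which candidate persistence directories the current user can write.

Added example, not code from the ESET write-up. The article names one
directory, /Library/Audio/Plug-Ins/AudioServer, and the point is that it is
user-writable on 10.5/10.6 but not on 10.7.2. The other entries in
CANDIDATE_DIRS are assumed, illustrative siblings.
"""
import os
import stat
from typing import Dict, List

CANDIDATE_DIRS: List[str] = [
    "/Library/Audio/Plug-Ins/AudioServer",   # named in the Lamadai analysis
    "/Library/Audio/Plug-Ins/HAL",           # assumed sibling, illustrative only
    "/Library/Audio/Plug-Ins/Components",    # assumed sibling, illustrative only
]


def describe_dir(path: str) -> Dict[str, object]:
    """Return existence, ownership, mode and writability facts for one directory."""
    info: Dict[str, object] = {
        "path": path, "exists": False, "writable": False,
        "world_writable": False, "owner_uid": None, "mode": None,
    }
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return info
    info["exists"] = True
    info["owner_uid"] = st.st_uid
    info["mode"] = stat.S_IMODE(st.st_mode)
    # os.access() answers for this process's effective uid. Run the check as
    # the ordinary login user: as root every directory reports writable.
    info["writable"] = os.access(path, os.W_OK)
    info["world_writable"] = bool(st.st_mode & stat.S_IWOTH)
    return info


def user_writable_dirs(paths: List[str]) -> List[str]:
    """Subset of paths that exist and that this user could drop a file into."""
    found: List[str] = []
    for p in paths:
        d = describe_dir(p)
        if d["exists"] and d["writable"]:
            found.append(p)
    return found


if __name__ == "__main__":
    if hasattr(os, "geteuid") and os.geteuid() == 0:
        print("warning: running as root, writability results are meaningless")
    for d in map(describe_dir, CANDIDATE_DIRS):
        if not d["exists"]:
            print(f"{d['path']}: not present")
        else:
            state = "USER-WRITABLE" if d["writable"] else "not writable"
            print(f"{d['path']}: {state} (mode {d['mode']:04o}, owner uid {d['owner_uid']})")
```

Run it as the everyday (non-admin) account, not with sudo; the result is only meaningful for the uid the malware would actually run under.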

Credits go to Marc-Étienne M. Léveillé for the technical analysis and test environment setup, thanks to the usual suspects for reviewing and commenting this article.

Computerworld – Of the Macs that have been infected by the Flashback malware, nearly two-thirds are running OS X 10.6, better known as Snow Leopard, a Russian antivirus company said Friday.

Doctor Web, which earlier this month was the first to report the largest-ever malware attack against Apple Macs, mined data it’s intercepted from compromised computers to come up with its findings.

The company, along with other security vendors, has been “sinkholing” select command-and-control (C&C) domains used by the Flashback botnet — hijacking them before the hackers could use the domains to issue orders or update their attack code — to both estimate the botnet’s size and disrupt its operation.

In a Friday blog post, Doctor Web published an analysis of the communications between 95,000 Flashback-infected Macs and the sinkholed domains. Those communication attempts took place on April 13, more than a week after Doctor Web broke the news of the botnet’s massive size.

Flashback has used a critical vulnerability in Java to worm its way onto Macs. Although Apple, which continues to maintain Java for its OS X users, patched the bug in early April, it did so seven weeks after Oracle disclosed the flaw when it shipped Java updates for Windows and Linux.

Not surprisingly, 63.4% of the Flashback-infected machines identified themselves as running OS X 10.6, or Snow Leopard, the newest version of Apple’s operating system that comes with Java.

Snow Leopard accounted for the largest share of OS X last month, according to metrics company Net Applications, making it the prime target of Flashback.

Leopard, or OS X 10.5, is the second-most-common Flashback-infected operating system, said Doctor Web: 25.5% of the 95,000 Macs harboring the malware ran that 2007 edition.

Apple bundled Java with Leopard as well, but unlike Snow Leopard and Lion, it no longer ships security updates for the OS, and so has not updated Java on those Macs.

Last month, Leopard powered 13.6% of all Macs.

But while Snow Leopard’s and Leopard’s infection rates are higher than their usage shares, the opposite’s true of OS X 10.7, or Lion. The 2011 OS accounted for 39.6% of all copies of OS X used last month, yet represented only 11.2% of the Flashback-compromised Macs.

That disparity seems to validate Apple’s 2010 decision to “deprecate” Java, or stop bundling the software with OS X. Lion was the first to omit Java, although users have been free to download and install it themselves.

Doctor Web did not connect those dots in its analysis, but the numbers make clear that versions of Mac OS X that included Java — Snow Leopard and Leopard — are much more likely to be infected by Flashback. Conversely, Lion — by default, sans Java — is significantly more resistant to the malware.

Twenty-four percent of the Snow Leopard-infected Macs were at least one update behind, 10.4% were three or more behind, and 8.5% were four or more behind.

Lion users were no better patch practitioners: 28% were one or more updates behind.

Of course, not all Windows users patch, either. According to Qualys, which regularly examines several hundred thousand PCs, 5% to 10% of business Windows machines never receive any given update.

Qualys has seen some Microsoft updates be ignored by 20% to 30% of Windows PCs for four months or longer.

But by Doctor Web’s data, Mac users are even less likely to update promptly, or even at all. OS X 10.6.7, the second-to-last update for Snow Leopard, was first issued 13 months ago, yet 9% of the infected Snow Leopard Macs run that version.

To protect Snow Leopard and Lion systems from the Java-exploiting Flashback, users should launch Software Update from the Apple menu and download this month’s Java updates. Software Update will also serve the newest version of those operating systems to Macs running outdated editions.

People running Leopard can disable Java in their browser(s) to stymie attacks.

Later this year, Oracle will release Java 7 for OS X. Mac users who upgrade to Java 7 will then receive security updates directly from Oracle, not from Apple.

Speaking to CBR at the Info Security 2012 conference, Kaspersky founder and CEO Eugene Kaspersky said that Apple is years behind Microsoft when it comes to security, and the company will have to change the ways it approaches updates following the recent malware attacks.

“I think they [Apple] are ten years behind Microsoft in terms of security,” Kaspersky said. “For many years I’ve been saying that from a security point of view there is no big difference between Mac and Windows. It’s always been possible to develop Mac malware, but this one was a bit different. For example it was asking questions about being installed on the system and, using vulnerabilities, it was able to get to the user mode without any alarms.”

Kaspersky said that his company was seeing an increasing amount of malware aimed at the Mac platform. He puts this increase in malware down to the increase in Mac market share.

“Cyber criminals have now recognised that Mac is an interesting area,” Kaspersky said. “Now we have more, it’s not just Flashback or Flashfake. Welcome to Microsoft’s world, Mac. It’s full of malware.”

Kaspersky believes that Apple is going to have to change significantly the way it approaches keeping its users protected from malware.

“They [Apple] will understand very soon that they have the same problems Microsoft had ten or 12 years ago. They will have to make changes in terms of the cycle of updates and so on and will be forced to invest more into their security audits for the software.”

Apple, with more than $100 billion in the bank, is certainly in a position where it could do whatever it takes to offer its users more protection from malware. But it remains to be seen whether it has learned the lessons from the recent malware attacks against its platform.

Our Take: It was only a matter of time, once the “right amount” of Mac users had accumulated, before cybercriminals turned their attention to the Mac as a malware target. The fact that Mac users have an added sense of “invulnerability” makes them a little EASIER to target with social engineering: they think they can click on links with less risk than their PC-owning friends. Those days are GONE. Protection using a quality anti-malware product such as ESET CyberSecurity is ESSENTIAL, more so every day.

The source of the Apple Mac Flashback Trojan was probably a large clutch of compromised US-based WordPress blog websites hijacked to push visitors to malware hosts, Kaspersky Lab research has revealed.

As has previously been established by various sources, between September 2011 and February of this year, the malware was distributed using social engineering attacks that asked users to download a bogus Adobe Flash Player plugin.

By late February this strategy changed thanks to a new partner program which distributed the malware as a drive-by attack hitting three common Java vulnerabilities via compromised websites.

Websense has estimated the number of infected WordPress sites to be 30,000, with others putting the number as high as 100,000, but what matters is that the overwhelming majority – 85 percent – were based in the US. This would explain the unusually high infection rates among North American-based Mac users, who accounted for 78 percent of the bots found by Kaspersky.

Some of the sites used to host the attack could have become infected after naïve admins installed a rogue WordPress utility, ToolsPack. This inserted a simple script on the site capable of redirecting vulnerable users to a malware host.

Kaspersky reports that 205,622 Mac users have checked for infection on the flashbackcheck.com website it set up, with 3,624 of these turning out to be infected, a malware rate under 2 percent. The overall infection numbers have declined rapidly since last week.

“Apple is not used to reacting to these kinds of attack,” said Kaspersky researcher, Vincente Diaz.

The company was in the habit of writing its own patches for Java vulnerabilities instead of simply applying those coming from Java overseer, Oracle. In the case of Flashback, this had introduced delays to those patches being applied, he said.

“Mac OS invulnerability is a myth.”

Criminals were now able to attack OS X systems using cross-platform (i.e. Java) malware re-purposed from the PC world. Mac users were an attractive target and the user base should expect more attacks during 2012 despite the appearance of Apple’s Gatekeeper security in Mountain Lion.

Apparently not all Mac users got the memo about Flashback, the malware that recently infected more than 600,000 computers running OS X. According to security firm Symantec, roughly 140,000 Mac computers were still infected as of April 16.

“The statistics from our sinkhole are showing declining numbers on a daily basis,” a Symantec blog post said. “However, we had originally believed that we would have seen a greater decline in infections at this point in time, but this has proven not to be the case.”

Apple offers a standalone Flashback malware removal tool, along with a Java update that also removes Flashback. Even if you don’t have Java on your machine — it’s not included in OS X Lion by default — you should still install the patch.

Flashback is considered to be the largest Mac malware threat to date. Compared to the massive Conficker botnet for Windows PCs, Flashback compromised a larger percentage of Mac computers. Flashback emerged last year, masquerading as an update for Adobe Flash, but later gained the ability to install itself automatically when users visited a compromised website. On infected computers, Flashback will attempt to harvest information from Web browsing activities and will send that information to remote command-and-control servers.

Although Flashback’s infection numbers were first reported this month, the underlying Java vulnerability had been patched by Oracle in February. As a result, Apple has faced criticism for being quick to point out the security of Mac OS X, but slow to address security problems, however rare they may be.

Following the outbreak of Flashback, security researchers have discovered a pair of new Mac malware threats, but so far they have only been spotted in targeted political attacks.

Mac users were once relatively insulated from malware attacks, if only because their OS platform didn’t attract the attention of criminals. But now a spike in security threats is making it clear that the bad guys are no longer ignoring Apple’s OS X.

The latest Mac security threat, a variant of the “LuckyCat” attack, exploits a vulnerability in Microsoft Word via booby-trapped documents, giving a remote attacker the ability to plunder infected systems and steal data by hand.

It’s an exploit that’s been around for almost three years now, and is completely preventable if you keep your system up to snuff with security updates. The fact that it’s only now getting widespread publicity indicates how historically lackadaisical Mac users have been toward security — and that this attitude needs to change.

“I think this is a wake-up call that people running OS X need to start patching and updating their systems more,” Marcus Carey, a security researcher with vulnerability management firm Rapid7, told Wired. “Patching is the number one thing anyone can do to protect their computer.”

In the past, malicious attacks on the Mac platform have been few and far between. More than 90 percent of the desktop market share used to go to Windows, so that’s where cybercriminals focused their time. But in recent months, OS X adoption has been rising, and similarly the number of threats (like last year’s MacDefender trojan horse) has been rising.

“The OS X platform has always been as potentially hacked and compromised as any other platform, but it just hasn’t been targeted until now,” Dave Marcus, director of advanced research and threat intelligence with McAfee Labs, told Wired.

The Flashback Trojan gained notoriety earlier this month for infecting upwards of 650,000 Macs. Flashback used a Java-based security flaw to install itself onto systems, but Apple patched and issued a security update for it last week. (Public service announcement: Update your Mac right now, if you haven’t already).

“The interesting thing about the exploits over the past few days is that the bad guys are using the same techniques on a Mac as they’d use on a PC or tablet,” Marcus said. “They’re using rigged documents and websites, Java exploits — very much mimicking the methodology used in the PC world.”

Carey noted that cross-platform programs like Microsoft Office, Adobe PDF products, Java, and Flash are likely to continue to be targets for malicious coders since they can get more bang for the buck, utilizing a single vulnerability that affects Mac and Windows users alike.

And Peter James, a spokesperson with Mac antivirus software company Intego, said now that cybercriminals have seen that these techniques work so well, we’ll be seeing more of them.

“With the Mac Defender trojan and Flashback, it’s clear these attacks will continue,” James said. “Someone has peeked inside a door and seen that they can actually work. It may not get worse, but it’s not going to get better.”

If you’re serious about Mac OS X security, we recommend these tips from Kaspersky Lab expert Costin Raiu. But for most of us, adding some antivirus software and staying abreast of system updates should be more than enough to stay protected.

Our take: The tips recommend staying up to date with OS X updates, which by default are set to “check once every week”. That setting is nowhere near enough without an antivirus, and we recommend changing it: in System Preferences open “Software Update”, and under “Scheduled Check” change the drop-down from “Weekly” to “Daily”. It will take you less than 30 seconds.

However, this is NOT enough, as Apple has not proved itself to be on the ball with releasing some of its updates. A Macintosh anti-malware program such as ESET CyberSecurity for Macintosh is a relatively low-cost second level of protection that is well worth the cost.

The biggest Mac botnet ever encountered, the OSX/Flashback botnet, is being hit hard. On April 12th, Apple released a third Java update since the Flashback malicious code outbreak. This update includes a new tool called MRT (Malware Removal Tool) which allows Apple to quickly push malware removal code to their user base. The first mission of MRT: remove Flashback.

A lot of researchers and security companies have been interested in OSX/Flashback. Many have published observations and partial results, generating a lot of buzz. ESET has been actively investigating the OSX/Flashback botnet. ESET was one of the first companies to implement a sinkhole to monitor the botnet. We can confirm the magnitude of the infection spread reported by other companies: we have seen more than 491,793 unique IDs coming from over 749,113 unique IP addresses connecting to our sinkhole. We are actively collaborating with the security community, sharing the results of our reverse engineering efforts and sinkhole data.

The OSX/Flashback malware can infect computers by multiple means. In the last couple of months, we have seen it spread as a fake Adobe Flash player (hence its name) and through exploits. The bulk of the infections happened recently when a group of websites started distributing the malware through drive-by download, exploiting the CVE-2012-0507 vulnerability in Java.

The first stage component of OSX/Flashback is a dropper, its only functionality is to contact a command and control server, download additional components and run them. Some of the variants of the dropper we have seen would also load a library. When installed, the library will load with any application on the system. It hooks the system functions responsible for communication and is in a position to alter web pages and spy on users’ internet activity and behaviour. It is still unclear to us if this spying is used to display unsolicited advertisements in the browser of infected computers or to steal information.

When it comes to disclosing a realistic number of unique infected hosts, we strive to be as accurate and objective as possible. Defining a unique host is not trivial, even if OSX/Flashback uses hardware UUIDs. Our data indicates many UUIDs that connected to our sinkhole (a server we set up to capture incoming traffic from bot-infected machines trying to communicate with their command-and-control servers), came from a big range of IP addresses, indicating that there may be UUID duplicates. Virtual Machines or so-called Hack-intosh installations may explain this.

When browsing Hack-intosh forums, we found out that everyone who is using the fourth release candidate of a special distribution has the same hardware UUID (XXXXXXXX-C304-556B-A442-960AB835CB5D) and even discuss ways to arbitrarily modify it.

Oddly enough, we found this UUID connected to our sinkhole from 20 different IP addresses. This indicates that those who considered UUID to count the number of distinct infected hosts probably have underestimated the botnet size.
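To make that counting problem concrete, here is an added example (not ESET’s code, and not Flashback’s real check-in format) that takes constructed sinkhole log lines of the form `timestamp client-ip uuid`, counts unique UUIDs and unique IPs, and flags UUIDs that check in from an implausible number of distinct addresses. The `shared_threshold` value and the rule that treats each extra IP behind a shared UUID as one more host are assumptions for illustration; a genuine laptop that roams between home and office also shows more than one IP, so the threshold has to be set with that in mind. The article’s own case, a single Hackintosh UUID seen from 20 addresses, would be caught at any reasonable threshold.

```python
"""Estimate the infected-host count from sinkhole check-ins when hardware
UUIDs may be duplicated (virtual machines, Hackintosh images).

Added example, not ESET's code. The log format (timestamp, client IP, UUID
per line) and the records themselves are constructed for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

UUID_RE = re.compile(r"^[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}$")


class CheckIn(NamedTuple):
    ts: str
    ip: str
    uuid: str


# Constructed sample: IPs from documentation ranges, placeholder UUIDs.
# 2222... appears from two addresses (one laptop, home and work);
# 3333... appears from four, the pattern a shared Hackintosh UUID produces;
# the last line is deliberately malformed to exercise the parser.
SINKHOLE_LOG = """\
2012-04-13T09:00:01Z 198.51.100.10 11111111-1111-4111-8111-111111111111
2012-04-13T09:00:05Z 198.51.100.10 11111111-1111-4111-8111-111111111111
2012-04-13T09:01:00Z 198.51.100.11 22222222-2222-4222-8222-222222222222
2012-04-13T09:02:00Z 203.0.113.20 22222222-2222-4222-8222-222222222222
2012-04-13T09:03:00Z 203.0.113.30 33333333-3333-4333-8333-333333333333
2012-04-13T09:03:10Z 203.0.113.31 33333333-3333-4333-8333-333333333333
2012-04-13T09:03:20Z 203.0.113.32 33333333-3333-4333-8333-333333333333
2012-04-13T09:03:30Z 198.51.100.40 33333333-3333-4333-8333-333333333333
2012-04-13T09:04:00Z 198.51.100.41 44444444-4444-4444-8444-444444444444
2012-04-13T09:05:00Z 198.51.100.42 not-a-uuid
"""


def parse_log(text: str) -> List[CheckIn]:
    """Parse lines, dropping anything that is not a well-formed check-in."""
    out: List[CheckIn] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not UUID_RE.match(parts[2]):
            continue
        out.append(CheckIn(parts[0], parts[1], parts[2].upper()))
    return out


def estimate_hosts(records: List[CheckIn], shared_threshold: int = 3) -> Dict[str, object]:
    """Lower bound (unique UUIDs), naive upper bound (unique IPs), the UUIDs
    seen from >= shared_threshold distinct IPs, and an adjusted count that
    treats each extra IP behind a shared UUID as one more host.
    The threshold and the adjustment rule are assumptions, not ESET's method."""
    ips_per_uuid: Dict[str, Set[str]] = defaultdict(set)
    for r in records:
        ips_per_uuid[r.uuid].add(r.ip)
    unique_uuids = len(ips_per_uuid)
    unique_ips = len({r.ip for r in records})
    shared = {u: len(ips) for u, ips in ips_per_uuid.items() if len(ips) >= shared_threshold}
    adjusted = unique_uuids + sum(n - 1 for n in shared.values())
    return {
        "unique_uuids": unique_uuids,
        "unique_ips": unique_ips,
        "shared_uuids": shared,
        "adjusted_hosts": adjusted,
    }


if __name__ == "__main__":
    est = estimate_hosts(parse_log(SINKHOLE_LOG))
    for key, value in est.items():
        print(f"{key}: {value}")
```

On the sample, a UUID-only count says 4 hosts, an IP-only count says 8, and the adjusted figure lands at 7; that spread is the uncertainty the article is describing, and the real data shows it in the opposite direction from what the UUID count alone would suggest.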

Flashback evolved a lot in the last few months. The authors moved fast and added obfuscation and fallback methods in case the main C&C server is taken down. The dropper now generates 5 domain names per day and tries to get an executable file from those websites. The latest variants of the dropper and the library encrypt its important strings with the Mac hardware UUID. This makes it difficult for researchers to analyze a variant reported by a customer if they don’t also have access to the UUID.

The fallback mechanism that Flashback uses when it is unable to contact its C&C servers is quite interesting. Each day, it will generate a new Twitter hashtag and search for any tweet containing that hashtag. A new C&C address can be provided to an infected system this way. Intego reported this last month, but the latest version uses new strings. Twitter has been notified of the new hashtags and is working on remediations to make sure the operator of the botnet cannot take back control of his botnet through Twitter.

To protect your Mac OS X computers we highly recommend applying the latest update from Apple. In addition, users can also download a (free) trial version of ESET Cybersecurity for Mac to scan their computer for infection and clean any threat that might be found on the system.

Thanks to Marc-Etienne Léveillé and Alexis Dorais-Joncas for their contribution to this research.

Mac users are facing a new malware threat called LuckyCat, fresh on the tail of Flashback. This new trojan delivers its payload through booby-trapped Microsoft Word documents that exploit a security flaw in Word.

Costin Raiu from Kaspersky Lab said in a SecureList blog post that LuckyCat was difficult to track down at first. “One of the biggest mysteries is the infection vector of these attacks. Given the highly targeted nature of the attack, there are very few traces,” he said. “Nevertheless, we found an important detail which is the missing link: Six Microsoft Word documents, which we detect as Exploit.MSWord.CVE-2009-0563.a.”

He added that there is evidence suggesting the malware payload was delivered through Word documents.

So far, it looks like the payload LuckyCat leaves behind can be used to remotely access the contents of an infected Mac. Based on Kaspersky’s data, attackers haven’t automated the process of scanning users’ hard drives, so they have to manually review the contents. Once they do that, however, attackers can copy specific files from victims’ hard drives.

Details are still slim on LuckyCat, so malware detection tools aren’t much help yet. As researchers learn more, we’ll likely see security patches and removal tools for Mac users that have been infected.